Overview: I have an application server running PHP 7, connecting to a separate database server running MongoDB 3.6.x using the MongoDB PHP userland library. I have firewall rules preventing access to the MongoDB server from all sources except the local and private interfaces (i.e. disallowing public IP access).
Connections via PHP look something like this:
$context_information = array(
"ssl" => array(
"allow_self_signed" => false,
"verify_peer" => true,
"verify_peer_name" => true,
"verify_expiry" => true,
"cafile" => "/path/to/ca_bundle"
));
$context = stream_context_create($context_information);
$connection = new MongoDB\Client(
$host,
array('ssl'=>true),
array('context'=> $context)
);
My MongoDB configuration looks something like this:
net:
port: 27017
bindIp: 127.0.0.1,10.138.196.241
ssl:
mode: requireSSL
PEMKeyFile: /path/to/my_ca_signed_cert
CAFile: /path/to/my_ca_bundle
my_ca_signed_cert is a .pem file generated using my openssl-generated RSA private key, as well as the CA-provided .crt file, in the manner described in the MongoDB manual, e.g. cat mongodb.key mongodb.crt > mongodb.pem. my_ca_bundle is the .ca-bundle provided to me by the CA.
Additionally, the ca_bundle described in the PHP context is the same .ca-bundle file as in the MongoDB config.
Problem: I continue to receive the following error:
[23-Jul-2018 16:33:33 America/Los_Angeles] PHP Fatal error: Uncaught MongoDB\Driver\Exception\ConnectionTimeoutException: No suitable servers found (
serverSelectionTryOnceset): [TLS handshake failed: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed calling ismaster on. . .
This issue persists even if I comment out the CAFile line for the MongoDB config. Also of note is that I can connect successfully when setting allow_self_signed to true if CAFile is commented out, but not when it's left uncommented.
Finally, when attempting to connect via the MongoDB shell, I get the following error:
2018-07-23T23:37:02.992+0000 E NETWORK [thread1] SSL peer certificate validation failed: unable to get issuer certificate
2018-07-23T23:37:02.992+0000 E QUERY [thread1] Error: socket exception [CONNECT_ERROR] for SSL peer certificate validation failed: unable to get issuer certificate :
connect@src/mongo/shell/mongo.js:251:13
@(connect):1:6
exception: connect failed
Expected Behavior: I don't want to use client certificate authentication for connecting to the database. All I want at present is for traffic to be encrypted. This means being able to connect to the database without allowing self-signed certificates.
Notes:
I have a cert set up successfully on the application server for HTTPS connectivity. Additionally, when testing the cert referenced in this question itself, I've successfully run verification on the files using
openssl verify -CAfile /path/to/my_ca_bundle /path/to/my_ca_signed_cert.Everything in my application code works when SSL is disabled or when enabled while allowing self-signed certs.
The documentation on all of this is incredibly vague on a number of points, so I'm not sure where my configuration is going wrong. What should I be looking into to resolve this problem?
